Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

f50e655ae9...97.exe

windows7-x64

8

f50e655ae9...97.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe

  • Size

    341KB

  • MD5

    6cadb955f78ae587d525ee714fc431d0

  • SHA1

    23be952782126ed5f9a26223e1fba8dc5a5fda30

  • SHA256

    f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

  • SHA512

    a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515

  • SSDEEP

    3072:/BI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikm6bm:/K5ArKjbAxXSaegUqGeGpBohMb

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 9 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe
      "C:\Users\Admin\AppData\Local\Temp\f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Users\Admin\AppData\Roaming\Presetup\icsuskey.exe
        "C:\Users\Admin\AppData\Roaming\Presetup\icsuskey.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Users\Admin\AppData\Local\Temp\~5909.tmp
          "C:\Users\Admin\AppData\Local\Temp\~5909.tmp"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:472
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~5FEC.tmp.doc"
        3⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:616
    • C:\Windows\SysWOW64\dcomperf.exe
      C:\Windows\SysWOW64\dcomperf.exe -k
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1596

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\~5909.tmp
      Filesize

      6KB

      MD5

      80bcb0449794dd6c238433a3bd26f5a0

      SHA1

      8401251d30803d2bbf0b5b30c027f7446c2d0542

      SHA256

      e07abfe8de7d8acdf74f2ffd3b84e2bd1dbaac5eeffceef4051e21bbc3f02bba

      SHA512

      c5d8a80acf601b19a1cdeb6f129ba37fb3620ddd031c5cd67f8f1e1e26247f3243b884d4bb305f614b794aec42820c69373644309e79c4066c6df7c0f6fc2870

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~5FEC.tmp.doc
      Filesize

      23KB

      MD5

      a95c33af41a5ce76875f688de01f490f

      SHA1

      a57191165c5dedcc863bf5e6de59d86524fac95b

      SHA256

      4eb1c28be2791f73abbb7caffbe3ff96628813bbb8ab10f38cdb63a7e8fd2632

      SHA512

      ba8ca879018964a21c10658adf297486d996888b897d906336d89934dc494adafc01391f841323a7430c5e29f3d40bcb4073e28bd0a772012aa45b8da89ad4e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Presetup\icsuskey.exe
      Filesize

      172KB

      MD5

      981caaf0bbb52e42de8b8f4cb25d45cf

      SHA1

      0907e441c8feb7cdea8be6141af288ada0458958

      SHA256

      4ecd468b163b404534c85cca633d5e5c1e6fecdd064046a4d6956e4d4b11b7b1

      SHA512

      b0be2a3caf17f029e2c480eb5398c63fd33934198980d7e01321cd2dbc52a8c91079be9ec4a8041eb4c405d1f2c675d9d4393be7dda0a3809a115573eb844071

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Presetup\icsuskey.exe
      Filesize

      172KB

      MD5

      981caaf0bbb52e42de8b8f4cb25d45cf

      SHA1

      0907e441c8feb7cdea8be6141af288ada0458958

      SHA256

      4ecd468b163b404534c85cca633d5e5c1e6fecdd064046a4d6956e4d4b11b7b1

      SHA512

      b0be2a3caf17f029e2c480eb5398c63fd33934198980d7e01321cd2dbc52a8c91079be9ec4a8041eb4c405d1f2c675d9d4393be7dda0a3809a115573eb844071

      Download Submit

    • C:\Windows\SysWOW64\dcomperf.exe
      Filesize

      341KB

      MD5

      6cadb955f78ae587d525ee714fc431d0

      SHA1

      23be952782126ed5f9a26223e1fba8dc5a5fda30

      SHA256

      f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

      SHA512

      a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515

      Download Submit

    • C:\Windows\SysWOW64\dcomperf.exe
      Filesize

      341KB

      MD5

      6cadb955f78ae587d525ee714fc431d0

      SHA1

      23be952782126ed5f9a26223e1fba8dc5a5fda30

      SHA256

      f50e655ae92bbb753e145cbb905a985db854cafd4af7b60a30ca88010f912797

      SHA512

      a3b1f64e1e4ae391eff08d5edd94e47dd3b8e60819819a102e8a06bc7baa4a86e55cd0c00b113b780d65abe9a86b4301048295b6352c73d972b16e5ba9aff515

      Download Submit

    • \Users\Admin\AppData\Local\Temp\~5909.tmp
      Filesize

      6KB

      MD5

      80bcb0449794dd6c238433a3bd26f5a0

      SHA1

      8401251d30803d2bbf0b5b30c027f7446c2d0542

      SHA256

      e07abfe8de7d8acdf74f2ffd3b84e2bd1dbaac5eeffceef4051e21bbc3f02bba

      SHA512

      c5d8a80acf601b19a1cdeb6f129ba37fb3620ddd031c5cd67f8f1e1e26247f3243b884d4bb305f614b794aec42820c69373644309e79c4066c6df7c0f6fc2870

      Download Submit

    • \Users\Admin\AppData\Roaming\Presetup\icsuskey.exe
      Filesize

      172KB

      MD5

      981caaf0bbb52e42de8b8f4cb25d45cf

      SHA1

      0907e441c8feb7cdea8be6141af288ada0458958

      SHA256

      4ecd468b163b404534c85cca633d5e5c1e6fecdd064046a4d6956e4d4b11b7b1

      SHA512

      b0be2a3caf17f029e2c480eb5398c63fd33934198980d7e01321cd2dbc52a8c91079be9ec4a8041eb4c405d1f2c675d9d4393be7dda0a3809a115573eb844071

      Download Submit

    • \Users\Admin\AppData\Roaming\Presetup\icsuskey.exe
      Filesize

      172KB

      MD5

      981caaf0bbb52e42de8b8f4cb25d45cf

      SHA1

      0907e441c8feb7cdea8be6141af288ada0458958

      SHA256

      4ecd468b163b404534c85cca633d5e5c1e6fecdd064046a4d6956e4d4b11b7b1

      SHA512

      b0be2a3caf17f029e2c480eb5398c63fd33934198980d7e01321cd2dbc52a8c91079be9ec4a8041eb4c405d1f2c675d9d4393be7dda0a3809a115573eb844071

      Download Submit

    • memory/588-78-0x0000000070C8D000-0x0000000070C98000-memory.dmp

      Filesize

      44KB

      Download

    • memory/588-75-0x000000006FCA1000-0x000000006FCA3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/588-84-0x0000000070C8D000-0x0000000070C98000-memory.dmp

      Filesize

      44KB

      Download

    • memory/588-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/588-80-0x0000000070C8D000-0x0000000070C98000-memory.dmp

      Filesize

      44KB

      Download

    • memory/588-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/588-74-0x0000000072221000-0x0000000072224000-memory.dmp

      Filesize

      12KB

      Download

    • memory/616-82-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1132-55-0x0000000075561000-0x0000000075563000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1132-54-0x00000000000E0000-0x0000000000148000-memory.dmp

      Filesize

      416KB

      Download

    • memory/1212-72-0x0000000002960000-0x00000000029A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1212-66-0x0000000002960000-0x00000000029A1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/1596-71-0x00000000004C0000-0x0000000000528000-memory.dmp

      Filesize

      416KB

      Download

    • memory/1696-62-0x0000000000070000-0x00000000000AE000-memory.dmp

      Filesize

      248KB

      Download